
CertControl gives your team full control over TLS/SSL certificates across all endpoints — both public and internal. Automatic scanning, intelligent security findings, real-time monitoring of Certificate Transparency logs, on-premise agent scanning behind firewalls, and proactive notifications — all in one platform.

Features

Automatic TLS Scanning
Scheduled scanning of all endpoints at a configurable frequency, covering TLS versions, cipher suites, certificate chain and validity.
Intelligent Security Findings
14 finding types: expiring certificates, weak TLS, SAN mismatch, dangling domains, weak key, SHA-1, missing HSTS/CAA and more.
Security Score
Automatic security grading (A+ to F) for each endpoint based on TLS version, cipher, certificate and chain health.
Certificate Inventory
Unified overview of all certificates with expiry date, fingerprint, chain validation and risk status. Upload and inspection of PEM/DER.
Subdomain Discovery
Automatic discovery of subdomains via Certificate Transparency logs (crt.sh). Find unknown endpoints.
CT Log Real-time Monitor
Continuous monitoring of CT logs for new certificates. Alerts for unknown/unauthorized certificates with acknowledge flow.
CSR Generator & Decoder
Generate PKCS#10 CSRs with RSA/EC keys and SAN. Decode existing CSRs for inspection.
Keystore Inspection
Upload and inspect JKS and PKCS#12 keystores. View certificates, aliases and key details.
SSL Converter
Convert certificates between PEM, DER and PKCS#7 formats. All 6 conversion directions supported with result download.
Certificate Key Matcher
Verify that a certificate and a private key match. Supports RSA and EC with key parameter comparison.
Email Notifications
Daily notifications for expiring certificates and weekly summary reports via SMTP.
Webhook Integrations
Generic webhooks for Slack, Teams, PagerDuty and more. HMAC-SHA256 signature, retry with backoff and delivery log.
HTTP Security Headers
Automatic check for HSTS header, CAA DNS records, weak keys and SHA-1 signatures during scanning.
Role-based Access
Admin, user and live (read-only) roles. Session-based authentication with BCrypt, TOTP 2FA, brute force mitigation and password reset via email.
Hostname Redaction
Irreversible masking of internal hostnames (CN/SANs) before storage. Admin-configurable glob/suffix patterns protect network topology.
Expiry Forecast
12-month certificate expiry chart with stacked bars. Click any month for details with CSV export. Color-coded by urgency.
Domain Management
Monitor domain registrations, expiry dates, DNSSEC status, SPF/DMARC email security, nameservers and full DNS record inspection (A, AAAA, MX, TXT, CAA).
System Health Dashboard
Real-time monitoring of 7 external services (DB, RDAP, WHOIS, crt.sh, DNS, SMTP, Disk) and 8 scheduled task statuses with run history.
Revocation Checking
On-demand certificate revocation status verification via OCSP and CRL. Displays check method, responder URL and CRL distribution points.
Scan Comparison
Select two scans and compare side-by-side. Detect changes in TLS version, cipher suite, certificate chain and fingerprint over time.
Audit Log
Full audit trail of all user actions: login, upload, delete, config changes and more. Filter by action type and username with IP tracking.
Certificate Export
Export certificates as Leaf PEM, full PEM chain, Java KeyStore (.jks), PKCS#12 (.p12) or metadata text. One-click download from endpoint detail.
On-Premise Agent Scanner NEW
Lightweight Docker agent scans internal endpoints behind firewalls. Outbound HTTPS only — zero inbound ports, zero firewall changes. Supports static targets and cloud-pushed configuration.
Secure Data Pipeline NEW
HMAC-SHA256 signed requests, optional mutual TLS (mTLS), and local disk spool for offline resilience. Scan data is never lost even during connectivity issues.
Agent-side Hostname Redaction NEW
Internal hostnames (CN/SANs) are replaced with [masked] before data leaves your network, so the original names never reach the cloud. Glob patterns can be configured locally on the agent or pushed from the admin UI.
Cloud-Pushed Agent Config NEW
Push scan targets, redaction patterns, and scan intervals to agents remotely from the admin UI. Agents pull config automatically — no container restart needed.
Collector Health Monitoring NEW
Real-time status of all deployed agents: heartbeat, version, hostname, endpoint count, spool queue size, memory usage. Auto-detection of inactive agents.
Executive Reports NEW
Four professional report types: Executive Summary with compliance score and 30-day trend, Operational Risk with CRIT/HIGH findings, Expiry Forecast with owner summary, and Change Report tracking certificate/TLS/cipher drift. CSV export and Print/PDF on all reports.
Theme Customization
11 visual themes including dark, light and specialized variants. Per-user preference stored in profile. Instant switching without reload.
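As an added illustration of the Hostname Redaction and Agent-side Hostname Redaction features above (this is not CertControl's own code; the agent's language, the scan record fields and the suffix-versus-glob pattern convention are all assumptions made for the example), the following shows how CN/SAN masking can be applied to a scan record before it is spooled or sent, together with a pre-send check that nothing matching a pattern survived:

```python
import fnmatch

MASK = "[masked]"

def host_matches(hostname: str, pattern: str) -> bool:
    """Assumed convention: a pattern starting with '.' is a suffix rule
    (".corp.local" matches "db1.corp.local" and the apex "corp.local");
    anything else is a shell-style glob. Hostnames are case-insensitive."""
    host, pat = hostname.lower().rstrip("."), pattern.lower().rstrip(".")
    if pat.startswith("."):
        return host == pat[1:] or host.endswith(pat)
    return fnmatch.fnmatchcase(host, pat)

def redact_names(common_name, sans, patterns):
    """Replace the CN and every SAN matching any pattern with MASK.
    No lookup table is kept, so the masking cannot be reversed."""
    def redact(name):
        return MASK if any(host_matches(name, p) for p in patterns) else name
    return redact(common_name), [redact(s) for s in sans]

def redact_scan_result(result: dict, patterns) -> dict:
    """Return a redacted copy of one scan record; the input is left untouched."""
    cn, sans = redact_names(result["subject_cn"], result["san"], patterns)
    return {**result, "subject_cn": cn, "san": sans}

def leaks_internal_name(record, patterns) -> bool:
    """Pre-send check: walk every string in the record and report True if any
    still matches a redaction pattern (e.g. a field redaction did not cover)."""
    if isinstance(record, str):
        return any(host_matches(record, p) for p in patterns)
    if isinstance(record, dict):
        return any(leaks_internal_name(v, patterns) for v in record.values())
    if isinstance(record, list):
        return any(leaks_internal_name(v, patterns) for v in record)
    return False

# Constructed sample record and patterns (hypothetical schema, not CertControl's).
SAMPLE = {
    "subject_cn": "intranet.corp.local",
    "san": ["intranet.corp.local", "*.apps.corp.local", "portal.example.com"],
    "issuer_cn": "Example Internal CA",
    "tls_version": "TLSv1.3",
}
PATTERNS = [".corp.local", "*.internal"]

if __name__ == "__main__":
    redacted = redact_scan_result(SAMPLE, PATTERNS)
    assert not leaks_internal_name(redacted, PATTERNS)
    print(redacted)  # CN and internal SANs show as "[masked]"
```

Because no mapping from masked to original names is retained, a compromised cloud-side database cannot be used to recover the internal topology, which is the property the feature description claims.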

Latest News

v2.1
Executive Reports
Four professional report types accessible from the Reports page: Executive Summary (KPIs, grade distribution, compliance score, 30-day trend), Operational Risk (CRIT/HIGH findings grouped by type), Expiry Forecast (bucketed by urgency with owner summary), and Change Report (certificate, TLS, and cipher drift over configurable periods). CSV export and Print/PDF support on all reports.
v2.0
On-Premise Agent Scanner
Lightweight Docker agent for scanning internal TLS endpoints behind firewalls. Outbound HTTPS only — zero inbound ports. HMAC-SHA256 signed requests, optional mTLS, local disk spool for offline resilience, cloud-pushed configuration (targets, redaction patterns, scan intervals), agent-side hostname redaction before data leaves the network, collector health monitoring with heartbeat and diagnostics, OCSP revocation checking, HTTP security header analysis, and admin UI for collector management with API key lifecycle.
v1.9
Consistent UI Redesign
All pages redesigned with consistent card-based layout. Separate cards for input forms and data tables. Inline search and filters on all list views. Env filter on certificates.
v1.8
Hostname Redaction
Irreversible masking of internal hostnames at upload time. Admin-configurable glob/suffix patterns. PEM not stored for redacted certs. Security documentation for reviewers.
v1.7
Password Reset, Expiry Forecast & CT Digest
Password reset via email with time-limited tokens. 12-month certificate expiry forecast chart. CT Log digest emails. CertSpotter as fallback CT source. Dashboard redesign with stat cards. English UI.
v1.6
User Profile & Auto Cleanup
My Profile page with password change and per-user theme selection (11 themes). Automatic cleanup of old scans and inactive findings. CSV export on all pages.
v1.5
Welcome Email, 2FA & Optimistic Locking
Welcome email with temp password and forced change. Optional TOTP two-factor authentication with QR code. Optimistic locking on endpoints. Column sorting.
v1.4
SSL Converter & Key Matcher
Convert certificates between PEM, DER and PKCS#7. Verify that certificate and private key match (RSA/EC). New tabs on the Certificate page.
v1.3
Webhook Notifications
Generic webhook system with HMAC-SHA256 signature and retry. Events for new CRIT/HIGH findings, expiring certificates and summary reports. Admin UI with test and delivery log.
v1.2
HTTP Security Headers Check
Automatic check for HSTS, CAA DNS records, weak key size and SHA-1 signatures. Security Score grade badge on the Overview page.
v1.1
CSR Tools & CT Monitor
CSR Generator & Decoder with RSA/EC. CT Log Real-time Monitor with alerts and acknowledge flow. Root CA in the certificate chain. Weekly summary report.
v1.0
Initial release
TLS scanning, certificate inventory, security findings, work queue, subdomain discovery, email notifications, keystore inspection, role-based access.
CertControl — Attack Surface & Certificate Security Platform
Built with Spring Boot, PostgreSQL & vanilla JavaScript